I have a special requirement, have gone through the site but have not found any matching my need. I want to secure:
I do not want these important credentials written or visible in my Node.js application code. However, it is recommended that I store these important credentials and keys in a separate utility. I wonder where, how and in what way I should store these credentials so that it returns decryption information to my Node.js application.
In my mind there are a number of possible ways:
Please advise with your appropriate solutions. This is important so that in case of any hack attempt my other communication servers (DB Server, API Server, etc.) remain secure.
This is related to: http://cwe.mitre.org/data/definitions/259.html But I am looking for a solution in the domain/boundary of Node.js / Linux.
There’s no universal solution to this problem but let’s try to sketch out something…
One of the Linux utilities could be environment variables. You put them directly on the running system and they’re not in code. However, it’s a really big security risk to store sensitive data in environment variables, as anybody and any program can read them. As your data is sensitive, you should not use this solution.
So, as you want to keep secrets out of the code, it’s probably a good idea to use some third-party utility.
Writing a C++ program or PHP script could work, but keep in mind that writing your own encryption solutions and such is almost always a bad idea.
The best idea is to use something already available, such as HashiCorp’s Vault. You can play around with their API to make it work with Node.js. There are also some Node.js+Vault solutions available, such as node-vault, but I’m not sure whether it has all the features.
There’s a great article, An Introduction to Managing Secrets Safely with Version Control Systems, on our community about storing sensitive data, covering VCS, Vault and such solutions, which you should read if you haven’t already.
It’s a bit late, but I created a node package for that: schluessel
It’s inspired by the Ruby on Rails approach of storing credentials in your code: your secrets get encrypted, so you can safely push your encrypted vault file to your repo, as long as you keep the key out of it. You can then access your secrets by just surrendering the key via an environment variable.
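The encrypted-vault-file pattern described in this answer, sketched as an added example with Node's built-in `crypto` module; it is not schluessel's code or API and not part of the original post. The blob layout, the `APP_VAULT_KEY` variable name and all function names are assumptions, and the sample values are constructed.

```javascript
// Added example: secrets live in the repo only as an AES-256-GCM blob;
// the 256-bit key arrives via an environment variable at startup.
const crypto = require('node:crypto');

const IV_LEN = 12;   // GCM nonce size
const TAG_LEN = 16;  // GCM authentication tag size

// Accept only a 64-hex-character key so a missing or truncated key fails loudly.
function parseKey(keyHex) {
  if (typeof keyHex !== 'string' || !/^[0-9a-f]{64}$/i.test(keyHex)) {
    throw new Error('vault key must be 64 hex characters (256 bits)');
  }
  return Buffer.from(keyHex, 'hex');
}

// Encrypt a secrets object. Output (assumed layout): base64(iv | tag | ciphertext).
function sealSecrets(secrets, keyHex) {
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', parseKey(keyHex), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(secrets), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt and authenticate. A modified blob or a wrong key throws in final().
function openSecrets(blob, keyHex) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('vault blob too short');
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', parseKey(keyHex), iv,
    { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Read the key once, then drop it from the environment object so that
// child processes spawned later do not inherit it.
function loadSecrets(blob, env = process.env) {
  const keyHex = env.APP_VAULT_KEY; // hypothetical variable name
  delete env.APP_VAULT_KEY;
  return openSecrets(blob, keyHex);
}
```
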